The Dutch Data Protection Authority has fined Uber Technologies Inc. and Uber $325 million over GDPR infringement.
The authority accuses Uber of relocating personal data from the European Economic Area (EEA) to servers in the United States without the necessary protections, as defined in Chapter V of the General Data Protection Regulation.
This case is the third time the Dutch Data Protection Authority has imposed an administrative fine on Uber.
Uber has faced various fines in the past for similar data-protection issues.
The first Uber fine was €600,000 in November 2018 for inadequate data access controls. The second was €10,000,000 in January for Uber’s unclear data management methods while processing data from EU citizens.
The investigation by the Dutch authority (AP) into Uber’s data practices was prompted by concerns from French drivers, which the French data protection authority (CNIL) escalated to the AP. The issue emerged when the Court of Justice of the European Union’s Schrems II verdict invalidated the EU-US treaty.
Despite the verdict, Uber allegedly continued to transmit personal data to the US without using Standard Contractual Clauses (SCCs) or other safeguards, violating GDPR Article 44, which requires data transfers to third countries to offer protection similar to that within the EU.
This is the same infringement for which the Irish Data Protection Commission (DPC) fined Facebook a staggering $1.3 billion. More recently, the Swedish Authority for Privacy Protection (IMY) fined four companies $1.1 million for similar offences involving their use of Google Analytics.
Uber, for its part, claimed that Chapter V of the GDPR did not apply because Article 3 already extended the regulation’s protections to its processing activities in the United States. Furthermore, the company claims that no data transfer, as defined by GDPR, occurs because drivers give their information directly to Uber’s US-based servers through the application.
Still, the AP dismissed those arguments and proceeded to enforce the fine. Uber argues that its data handling policies, as outlined in its privacy notice, comply with GDPR. Lastly, it regards data exchanges between users and Uber as an essential component of its services.